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Introduction 


The Information Commissioner is seeking feedback on her draft code of 
practice Age appropriate design - a code of practice for online services 
likely to be accessed by children (the code). 


The code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. 


The code is now out for public consultation and will remain open until 31 
May 2019. The Information Commissioner welcomes feedback on the 
specific questions set out below. 


Please send us your comments by 31 May 2019. 


Download this document and email to: 


ageappropriatedesign@ico.org.uk 


Print off this document and post to: 
Age Appropriate Design code consultation 
Policy Engagement Department 
Information Commissioner's Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation please 
telephone 0303 123 1113 and ask to speak to the Policy 
Engagement Department about the Age Appropriate Design code or 


email_ageappropriatedesign@ico.org.uk 


Privacy statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public or a parent). All responses from 
organisations and individuals responding in a professional capacity (e.g. 
academics, child development experts, sole traders, child minders, 
education professionals) will be published. We will remove email 
addresses and telephone numbers from these responses but apart from 
this, we will publish them in full. 


For more information about what we do with personal data, please see 
our privacy notice. 


Section 1: Your views 


Q1. Is the ‘About this code’ section of the code clearly communicated? 


Yes 

ACT | The App Association appreciates the ICO's description of the 
intent of this code and how it should be used. We support ICO's efforts 
to provide non-binding and technology neutral guidance to assist those 
offering information society services. 


Q2. Is the ‘Services covered by this code’ section of the code clearly 
communicated? 


No 

We appreciate ICO's discussion of the scope of the term "information 
society services’ and the applicability of UK law in the context of 
protecting children. However, we believe that the ICO's discussion of 
the services covered by this code is abstract and of limited utility, 
particularly for small business digital economy innovators who do not 
have large budgets for legal compliance. We strongly urge ICO to 
provide more precise language (more precise than, for example, 
“Essentially this means") and to provide numerous examples of 
information society services that ICO believes are subject to relevant 
laws and this code, as well as those that fall outside of this scope. 


The App Association also requests the the ICO address where liability 
begins and ends in the context of third parties (e.g., platforms, plug-in 


creators, and analytics providers) in this section. Such third parties may 
have no idea as to whether the innovation they provide is being used in 
a way that would give rise to information society services under this 
code. The App Association requests that, when a third party is not 
clearly informed that the product or service it is providing is intended to 
be an information society service, it shall not face liability under the 
Data Protection Act 2018 or the GDPR in the UK. Without this important 
clarification, it would force such third parties to take severe steps to 
prevent liability exposure, unfairly raising the costs of development for 
small business software service providers. ICO should communicate this 
clarification in a new additional subsection. 


Standards of age-appropriate design 


Please provide your views on the sections of the code covering each of 
the 16 draft standards 


1. Best interests of the child: The best interests of the child should be 
a primary consideration when you design and develop online services 
likely to be accessed by a child. 


2. Age-appropriate application: Consider the age range of your 
audience and the needs of children of different ages. Apply the standards 
in this code to all users, unless you have robust age-verification 
mechanisms to distinguish adults from children. 


3. Transparency: The privacy information you provide to users, and 
other published terms, policies and community standards, must be 
concise, prominent and in clear language suited to the age of the child. 
Provide additional specific ‘bite-sized’ explanations about how you use 
personal data at the point that use is activated. 


4. Detrimental use of data: Do not use children’s personal data in ways 
that have been shown to be detrimental to their wellbeing, or that go 


against industry codes of practice, other regulatory provisions or 
Government advice. 


5. Policies and community standards: Uphold your own published 
terms, policies and community standards (including but not limited to 
privacy policies, age restriction, behaviour rules and content policies). 


6. Default settings: Settings must be "high privacy” by default (unless 
you can demonstrate a compelling reason for a different default setting, 
taking account of the best interests of the child). 


7. Data minimisation: Collect and retain only the minimum amount of 

personal data necessary to provide the elements of your service in which 
a child is actively and knowingly engaged. Give children separate choices 
over which elements they wish to activate. 


8. Data sharing: Do not disclose children's data unless you can 
demonstrate a compelling reason to do so, taking account of the best 
interests of the child. 


9. Geolocation: Switch geolocation options off by default (unless you can 
demonstrate a compelling reason for geolocation, taking account of the 
best interests of the child), and provide an obvious sign for children when 
location tracking is active. Options which make a child’s location visible to 
others must default back to off at the end of each session. 


10. Parental controls: If you provide parental controls give the child 
age appropriate information about this. If your online service allows a 
parent or carer to monitor their child’s online activity or track their 
location, provide an obvious sign to the child when they are being 
monitored. 


11. Profiling: Switch options based on profiling off by default (unless you 
can demonstrate a compelling reason for profiling, taking account of the 
best interests of the child). Only allow profiling if you have appropriate 
measures in place to protect the child from any harmful effects (in 
particular, being fed content that is detrimental to their health or 
wellbeing). 


12. Nudge techniques: Do not use nudge techniques to lead or 
encourage children to provide unnecessary personal data, weaken or turn 
off privacy protections, or extend use. 


13. Connected toys and devices: If you provide a connected toy or 
device ensure you include effective tools to enable compliance with this 
code 


14. Online tools: Provide prominent and accessible tools to help children 
exercise their data protection rights and report concerns. 


15. Data protection impact assessments: Undertake a DPIA 
specifically to assess and mitigate risks to children who are likely to 
access your service, taking into account differing ages, capacities and 
development needs. Ensure that your DPIA builds in compliance with this 
code. 


16. Governance and accountability: Ensure you have policies and 
procedures in place which demonstrate how you comply with data 
protection obligations, including data protection training for all staff 
involved in the design and development of online services likely to be 
accessed by children. Ensure that your policies, procedures and terms of 
service demonstrate compliance with the provisions of this code 


Q3. Have we communicated our expectations for this standard clearly? 
1. Best interests of the child 


Yes 


2. Age-appropriate application 
Yes 


3. Transparency 
Yes 


4. Detrimental use of data 
No 
We understand that illegal use of data would be detrimental, but request 


clarity as to the meaning of "any use of data that is obviously detrimental 
to children’s physical or mental health and wellbeing." Without further 


detail as to this proposal, we cannot determine a standard of behavior. 
We suggest that ICO delete this language, or alternatively change it to 
say "any use of data reasonably understood to be detrimental to 
children's physical or mental health and wellbeing." 


5. Policies and community standards 
Yes 


6. Default settings 
No 


ICO recommends that the default position "for each individual privacy 
setting should be privacy enhancing or ‘high privacy’." ACT | The App 
Association believes this recommendation is consistent with the approach 
that its members take with regard to information society services 
generally, and particularly for children. However, we are left to wonder 
exactly how the quoted term "high privacy' is defined by ICO (as 
compared to ‘low privacy' and 'medium privacy'). We request that ICO 
provide an adequate explanation of the term ‘high privacy' (contrasted 
with 'low' and 'medium' privacy) or alternatively that ICO delete this 
phrasing from its code. 

7. Data minimisation 

Yes 


8. Data sharing 
Yes 


9. Geolocation 
Yes 


10. Parental controls 
No 


11. Profiling 
Yes 


12. Nudge techniques 


Yes 


13. Connected toys and devices 
Yes 


14. Online tools 
Yes 


15. Data protection impact assessments 
Yes 


16. Governance and accountability 


Yes 


Q4. Do you have any examples that you think could be used to illustrate 
the approach we are advocating for this standard? 


1. Best interests of the child 


Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 


2. Age-appropriate application 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

3. Transparency 


Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

4. Detrimental use of data 


Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 


5. Policies and community standards 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

6. Default settings: 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

7. Data minimisation 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

8. Data sharing 


Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

9. Geolocation 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

10. Parental controls 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

11. Profiling 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

12. Nudge techniques 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 


13. Connected toys and devices 


Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

14. Online tools 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

15. Data protection impact assessments 
Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 

16. Governance and accountability 


Yes 


For this standard, we strongly recommend including numerous detailed 
use cases of information society services showing what the ICO believes 
is appropriate as well as inappropriate. Such an approach will make the 
code's guidance much more actionable to stakeholders, particularly small 
business innovators who do not have extensive budgets for compliance 
projects. 


Q5. Do you think this standard gives rise to any unwarranted or 
unintended consequences? 


1. Best interests of the child 


No 


ACT | The App Association appreciates considering the "best interests of 
the child" throughout the lifecycle of an information society service. 


2. Age-appropriate application 
No 


ACT | The App Association members take the privacy and security of 
children very seriously and seek to exceed legal requirements due to a 
commitment to a safe experience for children (and their parents) online 
and through apps. We appreciate ICO's recommendation that "robust 
age-verification...will provide the clearest evidence" of what ages are 
intended to use an information society service. 

3. Transparency 

No 


ACT | The App Association is fully committed to being clear, open, and 
honest with users about what they can expect when they access an online 
service. We appreciate the ICO's proposed guidance as to clearly 
communicating necessary information to end users including children. 

4. Detrimental use of data 


Yes 


ACT | The App Assocition does not believe ICO is warranted in prohibiting 
sticky’ features include mechanisms such as reward loops, continuous 
scrolling, notifications and auto-play features which encourage users to 
continue playing a game, watching video content or otherwise staying 
online" because the ICO has not yet developed a view as to these 
mechanisms and their relationship to childrens' health and wellbeing. ICO 
should base its regulations and guidance on comprehensive evidence- 
based analyses; to suggest that a developer should not do something 
until ICO gives it express permission when such an activity may be in 
compliance with UK laws and the GDPR would freeze the use of 
innovative features that may very well advance the ICO's interests (e.g., 
transparency) without justification. Further, should the ICO's logic be 
applied more broadly, it would create an unneccessarily rigid environment 
for information society services. We strongly encourage ICO to withdraw 
its recommendation against utilizing such mechanisms in its code. 


5. Policies and community standards 
No 


ACT | The App Association supports ICO's recommendation for 
adherence to published terms and conditions and policies, as well as to 
actively enforce those published terms and condition and policies. 

6. Default settings 

Yes 


ICO recommends that a developer "should reset existing user settings as 
soon as is practicable, and in any case within [x] months of this code 
coming into force." ACT | The App Association believes that this 
recommendation does not give due credit to (1) developers that work 
hard to clearly communicate settings, tiers, etc. to users that can be 
relied upon or (2) end users who review their choices and make informed 
decisions. A default reset of settings would largely serve as an 
inconvenience to end users and a disruption of the trust they may have 
chosen to place in a information society service, potentially reducing a 
developer's user base for no reason. We recommend that ICO withdraw 
this recommendation from its code. 

7. Data minimisation 

No 


8. Data sharing 
No 


9. Geolocation 
Yes 


ICO recommends that "any option which make the child’s location visible 
to others is subject to a privacy setting which reverts to ‘off’ every after 
each session," unless "a compelling reason to do otherwise taking into 
account the best interests of the child" can be demonstrated. If a parent 
makes an informed decision to permit an app to geo-track their child, we 
see no purpose in reverting the setting to prohibit such tracking after 
each use. A default reset of settings for the sake of resetting settings 
would largely serve as an inconvenience to end users and a disruption of 
the trust they may have chosen to place in a information society service, 
potentially reducing a developer's user base for no reason. We 
recommend that ICO clarify that a parent's informed consent to permit 
geo-tracking by an information society service addressed by this code be 
a clear demonstration of a compelling reaons to permit geo-tracking as 
an exception to its recommendation. 

10. Parental controls 

Yes 


ACT | The App Association questions why ICO would include such a 
provision in its code when a parent may wish to monitor their child's 
activity without "age appropriate resources to explain the service to the 
child so that they are aware that their activity is being monitored by their 
parents, or their location tracked." Some parents may indeed wish to 
communicate this information to their child, but others may not. With 
parents making legal decisions for their children, we do not understand 
why ICO would mandate such disclosure and promote a one-size-fits-all 
approach. Further, ICO provides no specific legal basis for such a 


requirement. The net effect of this ICO policy will be to introduce 
unnecessary (and at times unwanted) features into information society 
services. We therefore request that ICO revise this recommendation to 
permit the parent of a child to communicate desired information related 
to activity monitoring and location tracking. 

11. Profiling 

No 


If YES, then please provide your reasons for this view. 
12. Nudge techniques 
Yes 


ACT | The App Association agrees that nudging techniques to lead 
children to make poor privacy decisions. However, ICO also recommends 
that nudging techniques be used to encourage "pro-privacy" decisions. 
There is confusion as to where the line is between where using nudging 
techniques will be appropriate or not under the ICO's guidance, leaving 
this interpretation open to wide interpretation. We request further detail 
as to when and how this code envisions nudging techniques being used 
(ideally, in a two-columned chart, one column giving examples of 
apporpriate uses and the other providing examples of inappropriate 
uses). 

13. Connected toys and devices 

No 


14. Online tools 
No 


15. Data protection impact assessments 
No 


16. Governance and accountability 


Yes 


Many small business innovators do not have extensive resources to put 
into attaining certifitications. ACT | The App Association agrees that 
attaining certifications to GDPR compliance addressed in Article 42 of the 
GDPR can assist in providing assurances to third parties of compliance, 
but we urge ICO to recognise and acknowledge that where certifications 
may be expensive for small businesses, they are not required as there 
are other means to demonstrate compliance with UK law and the GDPR. 


Q6. Do you envisage any feasibility challenges to online services 
delivering this standard? 


1. Best interests of the child 


No 


2. Age-appropriate application 
No 


3. Transparency 
No 


4. Detrimental use of data 


Yes 


ACT | The App Assocition does not believe ICO is warranted in 
prohibiting "sticky’ features include mechanisms such as reward loops, 
continuous scrolling, notifications and auto-play features which 
encourage users to continue playing a game, watching video content or 
otherwise staying online" because the ICO has not yet developed a view 
as to these mechanisms and their relationship to childrens' health and 
wellbeing. ICO should base its regulations and guidance on 
comprehensive evidence-based analyses; to suggest that a developer 
should not do something until ICO gives it express permission when 
such an activity may be in compliance with UK laws and the GDPR 
would freeze the use of innovative features that may very well advance 
the ICO's interests (e.g., transparency) without justification. Further, 
should the ICO's logic be applied more broadly, it would create an 
unneccessarily rigid environment for information society services. We 
strongly encourage ICO to withdraw its recommendation against 
utilizing such mechanisms in its code. 


5. Policies and community standards 
No 


6. Default settings 
Yes 


ICO recommends that a developer "should reset existing user settings 
as soon as is practicable, and in any case within [x] months of this code 
coming into force." ACT | The App Association believes that this 
recommendation does not give due credit to (1) developers that work 


hard to clearly communicate settings, tiers, etc. to users that can be 
relied upon or (2) end users who review their choices and make 
informed decisions. A default reset of settings would largely serve as an 
inconvenience to end users and a disruption of the trust they may have 
chosen to place in a information society service, potentially reducing a 
developer's user base for no reason. We recommend that ICO withdraw 
this recommendation from its code. 

7. Data minimisation 

No 


8. Data sharing 
No 


9. Geolocation 
Yes 


ICO recommends that "any option which make the child’s location 
visible to others is subject to a privacy setting which reverts to ‘off’ 
every after each session," unless "a compelling reason to do otherwise 
taking into account the best interests of the child" can be demonstrated. 
If a parent makes an informed decision to permit an app to geo-track 
their child, we see no purpose in reverting the setting to prohibit such 
tracking after each use. A default reset of settings for the sake of 
resetting settings would largely serve as an inconvenience to end users 
and a disruption of the trust they may have chosen to place ina 
information society service, potentially reducing a developer's user base 
for no reason. We recommend that ICO clarify that a parent's informed 
consent to permit geo-tracking by an information society service 
addressed by this code be a clear demonstration of a compelling reason 
to permit geo-tracking as an exception to its recommendation. 

10. Parental controls 

Yes 


ACT | The App Association questions why ICO would include such a 
provision in its code when a parent may wish to monitor their child's 
activity without "age appropriate resources to explain the service to the 
child so that they are aware that their activity is being monitored by 
their parents, or their location tracked." Some parents may indeed wish 
to communicate this information to their child, but others may not. With 
parents making legal decisions for their children, we do not understand 
why ICO would mandate such disclosure and promote a one-size-fits-all 
approach. Further, ICO provides no specific legal basis for such a 
requirement. The net effect of this ICO policy will be to introduce 
unnecessary (and at times unwanted) features into information society 
services. We therefore request that ICO revise this recommendation to 


permit the parent of a child to communicate desired information related 
to activity monitoring and location tracking. 


11. Profiling 
No 


12. Nudge techniques 
Yes 


ACT | The App Association agrees that nudging techniques to lead 
children to make poor privacy decisions. However, ICO also 
recommends that nudging techniques be used to encourage "pro- 
privacy" decisions. There is confusion as to where the line is between 
where using nudging techniques will be appropriate or not under the 
ICO's guidance, leaving this interpretation open to wide interpretation. 
We request further detail as to when and how this code envisions 
nudging techniques being used (ideally, in a two-columned chart, one 
column giving examples of apporpriate uses and the other providing 
examples of inappropriate uses). 

13. Connected toys and devices 

No 


14. Online tools 
No 


15. Data protection impact assessments 
No 


16. Governance and accountability 


Yes 

Many small business innovators do not have extensive resources to put 
into attaining certifitications. ACT | The App Association agrees that 
attaining certifications to GDPR compliance addressed in Article 42 of 
the GDPR can assist in providing assurances to third parties of 
compliance, but we urge ICO to recognise and acknowledge that where 
certifications may be expensive for small businesses, they are not 
required as there are other means to demonstrate compliance with UK 
law and the GDPR. 


Q7. Do you think this standard requires a transition period of any longer 
than 3 months after the code come into force? 


1. Best interests of the child 


Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 


2. Age-appropriate application 
Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

3. Transparency 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

4. Detrimental use of data 


Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 


5. Policies and community standards 


Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

6. Default settings 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

7. Data minimisation 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

8. Data sharing 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

9. Geolocation 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 


months to ease legal compliance costs and to allocate internal 
programming resources. 

10. Parental controls 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

11. Profiling 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

12. Nudge techniques 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

13. Connected toys and devices 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

14. Online tools 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 


with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 

15. Data protection impact assessments 

Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 


16. Governance and accountability 


Yes 


Smaller businesses do not necessarily have dedicated resources set 
aside for compliance projects such as the type of project that would be 
needed to align with this ICO code. To provide these smaller businesses 
with adequate time to make changes to their information society 
services to align with this ICO code, we request a minimum of 12 
months to ease legal compliance costs and to allocate internal 
programming resources. 


Q8. Do you know of any online resources that you think could be usefully 
linked to from this section of the code? 


1. Best interests of the child 


No 


2. Age-appropriate application 
No 


3. Transparency 
No 


4. Detrimental use of data 


No 


5. Policies and community standards 
No 


6. Default settings 
No 


7. Data minimisation 
No 


8. Data sharing 
No 


9. Geolocation 
No 


10. Parental controls 
No 


11. Profiling 
No 


12. Nudge techniques 
No 


13. Connected toys and devices 
No 


14. Online tools 
No 


15. Data protection impact assessments 
No 


16. Governance and accountability 


No 


Q9. Is the ‘Enforcement of this code” section clearly communicated? 


Yes 


Q10. Is the ‘Glossary’ section of the code clearly communicated? 


Yes 


Q11. Are there any key terms missing from the ‘Glossary’ section? 


No 


Q12. Is the ‘Annex A: Age and developmental stages’ section of the 
code clearly communicated? 


Yes 


Q13. Is there any information you think needs to be changed in the 
"Annex A: Age and developmental stages’ section of the code? 


No 


Q14. Do you know of any online resources that you think could be 
usefully linked to from the ‘Annex A: Age and developmental 
stages’ section of the code? 


No 


Q15. Is the ‘Annex B: Lawful basis for processing’ section of the 
code clearly communicated? 


Yes 


Q16. Is this ‘Annex C: Data Protection Impact Assessments’ 
section of the code clearly communicated? 


Yes 


Q17. Do you think any issues raised by the code would benefit from 
further (post publication) work, research or innovation? 


Yes 


ACT | The App Association’s members are working hard to change the 
very nature of our children’s lives through smart device applications 
that help them learn, explore, and communicate. With thousands of 
parent developers, our members understand most clearly the need to 
protect children in the mobile and internet environment. There is no 
group of people with stronger knowledge and the frontline experience to 
understand that privacy and innovation are not in conflict. What can 
create conflict is well-meaning regulation that errs on the side of 
proscribing innovation in the name of protecting privacy. We strongly 
urge ICO to ensure that its regulations and its code do not discourage 
or cast out any new innovations that may enable improved and 
streamlined information society services while protecting childrens’ 
privacy. We urge ICO to take a "do no harm" to new and innovative 
information society services in its efforts to develop this code in 
furthering applicable UK law and the GDPR. 


We also request that this ICO code discuss and account for Trans- 
Atlantic data flows by clearly explaining this code's (and UK law's and 
the GDPR's) relationship to the EU-US Privacy Shield. 


Section 2: About you 


Åre you: 


A body representing the views or interests of children? 


Please specify: 


A body representing the views or interests of parents? 


Please specify: L] 
A child development expert? 

Please specify: L] 
An Academic? 

Please specify: L] 
An individual acting in another professional capacity? 

Please specify: L] 
A provider of an ISS likely to be accessed by children? 

Please specify: L] 
A trade association representing ISS providers? 

Please specify: 

ACT | The App Association represents thousands of small 


business software application development companies 
and technology firms that create the software apps used 
on mobile devices and in enterprise systems around the 
globe. Alongside the world’s rapid embrace of mobile 


technology, our members have been creating innovative 
solutions that power the internet of things (IoT) across 
modalities and segments of the economy. Today, the App 
Association’s members provide the touchpoint for the 
cross-sectoral IoT. Our members are working hard to 
change the very nature of our children's lives through 
smart device applications that help them learn, explore, 
and communicate. With thousands of parent developers, 
our members understand most clearly the need to 
protect children in the mobile and internet environment. 
There is no group of people with stronger knowledge and 
the frontline experience to understand that privacy and 
innovation are not in conflict. Please visit 
https://actonline.org/. 


An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the 
public or a parent)? 


An ICO employee? 


Other? 


Please specify: 


Thank you for responding to this consultation. 


We value your input. 


